The typical rationale is that this kind of obfuscation prevents the email address from being automatically recognized and harvested by spammers. In an age where spammers can beat all but the most diabolical captchas, is this really true? And given how effective modern spam filters are, does it really matter if your email address is harvested?


8

Google's word on this is that turning @ into at of any form makes it easier to find on Google. Even with a ten year old hotmail address, I can link nearly all of my spam to times I gave away my address (fake names, etc). I don't get much spam from my email being publicly findable.
– tobylane Jan 21 '11 at 10:53

Dupe: it was asked 1 year ago on SO. The interesting thing is that the accepted answer was the same as this post's, linking the same article
– systempuntoout Jan 22 '11 at 0:22

It's not obfuscation, but I would say this is a good place to use disposable email addresses and rotate the addresses periodically (ie, automatically), with the idea that harvesters won't use the information as quickly as legitimate correspondents will.
– Stephanie Jul 28 '11 at 1:02

+1 for empirical data. Now someone should repeat the study...
– RBerteig Jan 21 '11 at 8:33

46

Unfortunately, what this doesn't show is the number of real users who avoided sending email because the address was hard to retrieve in the various formats. I'm sure that number would be small, but it's unlikely to be zero
– Gareth Jan 21 '11 at 12:02

@Gareth: the real-email-address is plainly visible with methods 1, 2, 6, 7 and 8, with 2 and 5 they are (re)built by jscript and are again clearly visible and even work with "mailto:" (coz the jscript modifies the dom so it all looks good). you will notice that the most effective methods are the ones that result in "the user has to do nothing to read / interpret" the mailaddress. "visible" means "you can just copy N paste the email off your browser".
– akira Jan 21 '11 at 13:53

40

When I copied the rtl example on the linked page (Chrome 8, Mac), moc.etalllit@7raboofnavlis ended up on my clipboard. So, maybe this is not so practical for real-world use.
– Sidnicious Jan 21 '11 at 18:14

@iain, example.com is not suffering anything, but a test domain by design, just like example.net and a few others. There are no email handlers defined for example.com.
– Arjan Jan 23 '11 at 13:36

6

If you've ever read the RFC (rfc-editor.org/rfc/rfc2606.txt) you'd know that "example.com" (and .net and .org) are officially reserved domain names. But using a "fake" domain name that's not officially reserved is not nice to the proper domain holder (if any). There's no pantsexample.com currently registered, but there could have been.
– thrillscience Jan 24 '11 at 3:01

48

A friend of mine favoured 'xxx' for 'things which haven't been filled out yet' in her HTML templates. This was regrettable in one memorable client meeting when someone clicked on an 'xxx.com' link in her demo page...
– ijw Jan 24 '11 at 14:00

5

> In fact I don't get any email. Sounds good to me.
– Synetech Feb 20 '12 at 1:40

There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn't serve much purpose, and a more optimal approach is intelligently managing the spam you get.

TL;DR version:

The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.

Email obfuscation is a constant battle to come up with ever sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator, and the correspondent.

"Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it."

"The convenience of stable, easily copy-pastable email addresses" wins over trying to hide from the spambots.

+1 - gmail has largely made dealing with spam a thing of the past.
– Jason Baker Jan 21 '11 at 19:43

8

This is true iff you believe that spam's cost is entirely in the mental effort of processing it. If you believe that some of spam's cost is in bandwidth, or in maintaining spam filters, then preventing spam reaching your inbox in the first place is a worthy goal. Both of these elements have an ongoing cost (a parallel to the 'improving your obfuscation' element in the discussion), it's just that services like Google are willing to provide it for the price of being able to read all your private correspondence.
– ijw Jan 24 '11 at 14:05

1

@ijw - The ongoing cost of a team of a few people at Google maintaining the spam filter system will always be less than making their hundreds of millions of customers do anything at all. Assuming that spam is kept to a reasonable amount, the bandwidth probably isn't much of an issue either.
– Kevin Vermeer Jan 25 '11 at 21:08

True, and spammers probably realize that people that obfuscate their email address don't want and won't fall for spam anyway, but on the flip side there are some harvesters that get paid per address for whom it would be trivial to identify some of the basic obfuscation patterns (having "gmail" on the page is a start)
– Kyle Cronin Jan 21 '11 at 4:59

5

Exactly. Not to mention the performance hit on a parser to use such a pattern when processing that much data.
– John T Jan 21 '11 at 5:06

4

I don't obfuscate my email, fwiw I haven't seen any difference w/ & w/o obfuscation. Even if it does go through, Gmail does a pretty good job of catching spam, and even if it doesn't I just hit that Report Spam button.
– Sathya♦ Jan 21 '11 at 5:32

6

OTOH, if a spammer sees an obfuscated mail address, he can be sure that this is a really used email address, else why obfuscate it? Note that the spammer doesn't care if spamming is effective, but he cares how many of the recipients actually get the spam. He sells spam services, not products.
– Elazar Leibovich Jan 21 '11 at 7:40

Anything that is done by lots of people will be defeated, but if you hide your email address in a way that not many web sites do, then the spammers will not invest the money in finding it. (They are trying to make money so will only invest a lot when the returns are high.)

So don't use a method other people use, come up with your own, this is one I have just come up with: (Don't all copy it, or it will stop working)

Email remove all numbers and use the
same domain as my web site is on
i23an@notMyDomain.com

Spammers depend on "spamware vendors" to take care of the technical details involved with extracting eMail addresses from web sites (and from other sources, such as word processor documents and spreadsheets, sometimes obtained via SpyWare). So, you'll be fine until a spamware vendor notices what you're doing (and can figure out how to counter it). +1 because this answer uses a logical argument that is generally correct.
– Randolf Richardson Aug 12 '11 at 4:13

@Randolf, no "spamware vendors" will make the effort for less than a few 100 email addresses, so anything that is "different" is likely to work as a one-off for most people's website
– Ian Ringrose Aug 12 '11 at 15:02

I actually agree with you (and I see your comment as further support for mine) because the spamware vendors will view that as a feature that sets them ahead of their competition (namely, other spamware vendors) -- your estimation of less than a few hundred eMail addresses seems correct to me (+1 for your comment, except it's not working as a pink box appears so I'll try again later).
– Randolf Richardson Aug 12 '11 at 16:38

1

> Anything that is done by lots of people will be defeated Agreed, but replace “defeated” with exploited. That’s why hackers have seldom bothered with writing malware for Apples or Linux. Whether or not they are “more secure than Windows” is irrelevant; those targets were simply not worth the time. At least, that used to be the case. These days, Apple has a much bigger user base, making for a more attractive target, and Linux is used on more business servers. It is the same with security measures. If cracking it gains you little, most won’t bother. If cracking it gains you the world, well…
– Synetech Feb 20 '12 at 1:50

Spammers are not the NSA. It is not important for them to crack your obfuscation. Any effort made to disguise your email address is probably sufficient to the task.

The more interesting question is, why not just use a disposable email account as a cutoff to filter responses on public forums? That way you don't care if the account gets spam, and after vetting legitimate responses you can contact your correspondents via your regular email account.

Yes it is true in most cases because you need a pattern for email harvesting, the more complex the pattern the more expensive (time/money) it is for spammers to work at getting emails. Of course nothing stops manual harvesting, but that is very low. The thing that is usually done is non JS encoded, plain text emails are harvested (check any 1-2 year old website that is unchanged, and I bet you $20 bucks it's plain text email and they get tons of spam).

At my company all the external facing emails are obfuscated using a series of server side & JS client side methods.

So an email never really looks like an email, and the pattern ALWAYS changes. You would be surprised how well this method works, sure some methods are compromised and easily broken, but more elaborate methods of email obfuscation usually make the harvesting pointless as the sheer amount of pattern detection would require a lot of invested resources.

Brute force of CAPTCHAS is different, where the hackers/spammers/harvesters TARGET a specific site. This does not really apply to small mom & pop websites who might use a myriad of obfuscation methods, or sites where users post different format emails in a variety of email obfuscation ways (omitting the .com or .net, etc).

Most harvesters are not JavaScript-aware; that is, they do not process JS, making those methods more costly for harvesters. There are some harvesters that do try to process JS, but like I said it is very costly when you are running millions of emails in a matter of minutes, you don't want to go down to 10s or 100s if you can do 1000s.

My method of doing an each time random method works very well, I have yet to get any spam on my account.

Neat idea using JS to obfuscate the email address, but in most cases (like in an email, on this site, etc) that's not really an option. However, I agree that it should be standard practice on sites that allow users to expose their email to other users.
– Kyle Cronin Jan 21 '11 at 5:03

Some spammers are using OCR to get around the graphic element, but as far as I know this is still quite rare so that should continue to work fine for you as long as blind users don't need to contact you. +1 for sharing some useful ideas.
– Randolf Richardson Aug 12 '11 at 4:10

JS obfuscation does work up to a point with simple wget based harvesters, but I guess that JS enabled IE instances are also being employed, and they can read what the webuser would see.

When the address is harvested, or stolen via a security breach on one of your favourite sites as it eventually will, it'll be out there being replicated on spammers lists forever.

My own email address is so old it predates spam, and therefore visible all over the net, so I get thousands of attempts to deliver per week... bring it on! I have had time to develop a sophisticated system that effectively turns it into a spamtrap, with high scoring stuff auto reported to spamcop to aid the community.

Spam will be defeated one day, and I have seen encouraging signs that it is in decline.

One thing that worked very well for me is using ASP.NET to create a "LinkButton". This linkbutton then has a Response.Redirect("mailto:MailAddress"); as the "onClick" action. This will result in the LinkButton having a javascript:DoPostBack(...) as the URL. In the end it makes a server request which returns a "redirect to the mail address". The farm bots never got this email.

probably no user had a chance to complain about inability to send any feedback too :)
– Free Consulting Jan 21 '11 at 16:09

1

this will only work if a lot of other people don't start doing it.
– Ian Ringrose Jan 21 '11 at 16:55

@Worm: This worked with every browser I've tested it. If you redirect to a mailto, it'll work. @Ian: Yeah, I hope it stays that way, or bots will start listening for redirects on JS postbacks. If you put a ScriptManager there it will go a lot more... "obfuscate" though. It will first make a JS AJAX postback which then returns a command to go to the mailto.
– sinni800 Jan 21 '11 at 22:35

1

I'd like to see generated code for it, as I have no idea about ASP.NET stuff
– Free Consulting Jan 22 '11 at 0:33

I don't think it helps a whole lot using standard [AT] and [DOT], but using either words that mean things or can be realized to mean at and dot...or even _A((T>> or anything else that is reasonably random...just my thoughts on the matter.

I put my email address in the clear on the web everywhere, and contrary to popular belief this doesn't seem to have any effect on the amount of spam that I receive. It's been stable at an average of 3 per day for a long time. So I'd say that obfuscation is useless.

I do notice that very short usernames (e.g. wim@example.com) result in more spam. Apparently the email addresses used by spammers are simply generated by trying all possible short letter combinations, and by using name lists.

There's a lot of guessing, dictionary attacks, and various other techniques being used by spammers. Also, common addresses like info@ and sales@ are just assumed to pretty much always be valid (and often are for many domains). There's also a time delay wherein spam increases for an address the longer the spammers know about it because they sell lists to each other. I operate a number of spam traps and have noticed that the spam generally increases over time despite blocking based on a combination of DNS-based blacklists and filters.
– Randolf Richardson Aug 12 '11 at 4:06

If you try to search for email addresses with Google, you will find out that it is really hard, and Google for some reason has not much of them in the form "common.name@wellknown.domain" - maybe a self-restriction?

If I search for "maier[at]berlin.de", I find more hits than if I search for "maier@berlin.de", and the @ seems to work as a joker sign. The hits aren't really mail addresses.

And on the other side, you want your customers (if you have such, and contact them in the web) use a comfortable mailto-link, without fiddling around and removing fancy pants.

So if you still don't trust Google, bing, bong and zong (maybe they sell mail addresses separately?), you can compose your email address with a little bit of JavaScript:

From my experience with Sblam! filter there's a lot of technically incompetent spammers, who nevertheless keep trying, probably because there's a lot of unprotected mails to harvest (and unprotected sites to spam), so even simple obfuscation might stop some harvesters.

OTOH updating a regular expression in a harvester to look for (@| AT ) is not rocket science and probably some spammers did it already.

Anyway, I think that puzzles that annoy humans are not worth it. I've devised standards-compliant obfuscation that encodes mails with entities, urlencoding and adds untypical constructs to the URL and HTML:

This gives a link that is readable and fully functional for real users, but can be harvested only by spammers who take the effort to parse HTML and URL correctly (it might avoid some spam, or at least it promotes web standards among harvester writers! ;)
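An added example, not the answer author's code (which did not survive on this page): one way to build the kind of link described above, using HTML numeric character references over a percent-encoded `mailto:` URL, together with the decoding any standards-compliant parser performs. The function names, the simple address pattern and the sample address are assumptions made for this illustration.

```javascript
// Constructed sample address on a reserved domain (RFC 2606).
const SAMPLE = "jane.doe@example.com";

// HTML layer: every character becomes a numeric character reference,
// alternating decimal and hexadecimal forms.
function toEntities(s) {
  return Array.from(s, (ch, i) => {
    const cp = ch.codePointAt(0);
    return i % 2 ? `&#x${cp.toString(16)};` : `&#${cp};`;
  }).join("");
}

// URL layer: percent-encode every byte, even ones that could stay literal.
function toPercent(s) {
  return Array.from(new TextEncoder().encode(s), b =>
    "%" + b.toString(16).toUpperCase().padStart(2, "0")).join("");
}

// The "@" stays literal in the URL and is hidden by the HTML layer only.
function obfuscate(address) {
  const [local, host] = address.split("@");
  const href = "mailto:" + toPercent(local) + "@" + toPercent(host);
  return `<a href="${toEntities(href)}">${toEntities(address)}</a>`;
}

// A simple pattern run over raw markup, standing in for a text-only scan.
const NAIVE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;

// What a browser does: resolve character references, then percent-decode.
function decodeEntities(s) {
  return s.replace(/&#(x?)([0-9a-f]+);/gi, (_, hex, num) =>
    String.fromCodePoint(parseInt(num, hex ? 16 : 10)));
}

function resolveHref(markup) {
  const m = /href="([^"]*)"/.exec(markup);
  if (!m) return null;
  const url = decodeURIComponent(decodeEntities(m[1]));
  return url.startsWith("mailto:") ? url.slice("mailto:".length) : null;
}

const markup = obfuscate(SAMPLE);
console.log(markup);
console.log("naive pattern matches raw markup:", NAIVE.test(markup));
console.log("after standard decoding:", resolveHref(markup));
```

The protection lasts only as long as the scanner skips the two decoding steps every browser performs, which is the limit the answer itself points out.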